The term ‘Shadow IT’ conjures up images of illicit activity and unsavoury characters lurking in the alleyways of cyber city. I was amused to find that Wikipedia gives alternative names of ‘Rogue IT’ and ‘Feral IT’ – sounds like just another day at the office!

In reality, Shadow IT is mostly not born of the desire to be subversive but is a by-product of an empowered workforce making the best use of technology that is so accessible and simple to use that it seems almost natural to do so. Furthermore, it is often such an organic choice by the non-IT member of staff (or team) that no consideration is given to involving the IT team in the reasoning, decision-making and deployment. This is particularly relevant now, at a time when staff have ‘upskilled’ through the process of working remotely and confidence levels have risen.

Casting a light on Shadow IT

In short, Shadow IT is any IT software, system or hardware that is not approved and provided by the firm’s IT team. I suspect that we may all be surprised by the scale of its use.

Why do staff go this route? As above, it is often just a natural choice but there are other drivers that more often than not relate to the perceived inability of the IT team or the firm’s decision-making processes to:

  • Review and approve the requested solution in good time (approve the budget, agreement, T&Cs, run through the standard due diligence, etc)
  • Provide an alternative ‘approved’ solution that is as efficient, agile, mobile and/or innovative as the suggested option
  • Implement a solution without seeking to ‘gold plate’, over complicating the requirements with integrations, etc
  • Quickly approve/provision a solution that has been requested by a client, putting the member of staff in a difficult position

Most firms will have in place strict security around the download of applications, but this often does not restrict access to online products and applications. Examples of Shadow IT applications include:

  • File sharing sites
  • Online project/task management tools
  • Marketing/web management systems
  • Communications products for voice and video calls

There are also some elements of Shadow IT that involve BYOD hardware such as mobile phones and laptops. Also, the use of internal software such as macros or spreadsheets in a way that was not intended or that by-passes other ‘approved’ processes. This obviously puts Microsoft 365 firmly in the frame as a potential source of Shadow IT.

The benefits of Shadow IT are that the users select and manage products that are specific to their requirement, in theory ensuring that they are as productive and efficient as they can be. They require no external resources and can be used as required. Ideally these outcomes would have a positive impact on profitability.

On a personal and professional level, it demonstrates a proactive approach to innovation and problem-solving, and may unearth solutions that are far more appropriate than those that an IT team may provide, if indeed it is free to look into them.

On the flip side, there are several quite concerning drawbacks.

Security and Data Protection

Law firms have strict border controls around their IT environments and any possibility of breaching those must be investigated and protected against immediately. If the data to be stored or transferred out of the environment contains personal data in respect of individuals then the product and supplier must go through the rigorous due diligence, documentation and testing as is standard when processing data in a new way. Further monitoring and administration must then follow throughout the lifetime of use. User accounts should be centrally managed to ensure that no data is put at risk in the event of a user leaving or changing roles.

This scenario is further exacerbated by most Shadow IT solutions being cloud-based and often also making use of other 3rd party solutions. In the GDPR world data sovereignty is a key component of IT; and Risk & Compliance considerations when onboarding any new solution and control of data across a plethora of systems probably constitute a law firm’s biggest IT risk.

Sometimes users have even signed up to ‘business systems’ in their own name. Often these users do not have appropriate approval levels to make such decisions and therefore are exposing themselves and the firm to significant risk. The employees may risk breaching employment policies and the firm may be risking GDPR fines or even breach of insurance policy agreements.

Microsoft is also putting internal IT teams under pressure with the Microsoft 365 platform. The accessibility of the various applications in M365 has put a range of power tools within easy reach of everyday users, such as PowerApps and PowerAutomate. Furthermore, the Microsoft message is “low code no code”, encouraging everyday users to try their hand at app building and process automation.

}

Process Management

The firm may have already invested in systems and processes to achieve the requirement. The alternative solution found by the individual or team may mean that significant statistical information about activity is lost, that previous investment or time, money and expertise is lost and that the process cannot be monitored for quality and appropriateness.

Potentially the use of alternative solutions will mean that there is duplication in the performance of tasks – data entered twice or in different ways, documents stored in different locations, etc.

Budget Management

Shadow IT creates the risk of duplicate expenditure and/or expenditure that sits within the wrong budget header.  Budget prediction and benchmarking against industry standards therefore becomes much more difficult as does the monitoring of return on investment.

w

IT/Staff Relationship

The use of Shadow IT may indicate a breakdown of communication and trust between the IT team and the user base

So, how do we promote devolved innovation and problem solving whilst maintaining the centralised due diligence and administration that is required?

  1. Educate staff about Shadow IT: the risks as the situation stands and the benefits of achieving the same outcome through a more collaborative approach.
  2. Introduce or amend policies so that they are clear about the implications of using unapproved software or hardware.
  3. Create a forum for innovation that allows all staff to have input and enables a better relationship between staff and the IT team.
  4. Decisions about whether a solution is to be used should be made by a cross functional team and according to a set of principles agreed in advance. Consider creating a Change Board (as part of your Change Strategy or Continuous Improvement Plan) so that it is not seen simply as an IT team decision.
  5. Allocate specific budget for IT innovation as well as a process for monitoring quality, usage, return on investment, etc.
  6. Ensure that staff are aware of all existing products available and that they have sufficient training to be confident about how and when to use them.
  7. Give advice to staff as to when a client requirement for use of a cloud application may create risk, how to address that risk with the client and what alternatives can be offered.
  8. Structure the IT team so that there are resources available to support innovative projects.

If the above points are applied, then ‘Shadow IT’ can very easily shapeshift into ‘IT Innovation’ and we can make best use of the technical expertise and entrepreneurial spirit in our whole workforce.

Written by…

Cathy Kirby

More Talking Points…

Basic cyber security questions for your IT Advisors

Basic cyber security questions for your IT Advisors

A series covering simple questions that you can ask your IT Team/Managed Service Provider (MSP) to help improve security. For many law firms, dealing with cyber prevention can be mind boggling in its complexity.  ‘Attack surfaces’, ‘threat actors’, ‘dark web’ – all...

read more
Baskerville Drummond in elite Band 1 of Chambers new guide

Baskerville Drummond in elite Band 1 of Chambers new guide

Baskerville Drummond is delighted to announced that it has been given a Band 1 rating in Chambers and Partners’ new LawTech Consulting guide. In common with all Chambers’ guides and directories, this is an independent evaluation of market players, with research...

read more